Package rsa

Overview ▹

Overview ▾

Package rsa implements RSA encryption as specified in PKCS#1.

RSA is a single, fundamental operation that is used in this package to
implement either public-key encryption or public-key signatures.

The original specification for encryption and signatures with RSA is PKCS#1
and the terms "RSA encryption" and "RSA signatures" by default refer to
PKCS#1 version 1.5. However, that specification has flaws and new designs
should use version two, usually called by just OAEP and PSS, where
possible.

Two sets of interfaces are included in this package. When a more abstract
interface isn't necessary, there are functions for encrypting/decrypting
with v1.5/OAEP and signing/verifying with v1.5/PSS. If one needs to abstract
over the public-key primitive, the PrivateKey struct implements the
Decrypter and Signer interfaces from the crypto package.

The RSA operations in this package are not implemented using constant-time algorithms.

Examples

Package files

Constants

const (
// PSSSaltLengthAuto causes the salt in a PSS signature to be as large// as possible when signing, and to be auto-detected when verifying.PSSSaltLengthAuto = 0
// PSSSaltLengthEqualsHash causes the salt length to equal the length// of the hash used in the signature.PSSSaltLengthEqualsHash = -1
)

Variables

ErrDecryption represents a failure to decrypt a message.
It is deliberately vague to avoid adaptive attacks.

OAEP is parameterised by a hash function that is used as a random oracle.
Encryption and decryption of a given message must use the same hash function
and sha256.New() is a reasonable choice.

The random parameter, if not nil, is used to blind the private-key operation
and avoid timing side-channel attacks. Blinding is purely internal to this
function – the random data need not match that used when encrypting.

The label parameter must match the value given when encrypting. See
EncryptOAEP for details.

DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.
If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.

Note that whether this function returns an error or not discloses secret
information. If an attacker can cause this function to run repeatedly and
learn whether each instance returned an error then they can decrypt and
forge signatures as if they had the private key. See
DecryptPKCS1v15SessionKey for a way of solving this problem.

DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS#1 v1.5.
If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
It returns an error if the ciphertext is the wrong length or if the
ciphertext is greater than the public modulus. Otherwise, no error is
returned. If the padding is valid, the resulting plaintext message is copied
into key. Otherwise, key is unchanged. These alternatives occur in constant
time. It is intended that the user of this function generate a random
session key beforehand and continue the protocol with the resulting value.
This will remove any possibility that an attacker can learn any information
about the plaintext.
See “Chosen Ciphertext Attacks Against Protocols Based on the RSA
Encryption Standard PKCS #1”, Daniel Bleichenbacher, Advances in Cryptology
(Crypto '98).

Note that if the session key is too small then it may be possible for an
attacker to brute-force it. If they can do that then they can learn whether
a random value was used (because it'll be different for the same ciphertext)
and thus whether the padding was correct. This defeats the point of this
function. Using at least a 16-byte key will protect against this attack.

▹ Example

▾ Example

RSA is able to encrypt only a very limited amount of data. In order
to encrypt reasonable amounts of data a hybrid scheme is commonly
used: RSA is used to encrypt a key for a symmetric primitive like
AES-GCM.
Before encrypting, data is “padded” by embedding it in a known
structure. This is done for a number of reasons, but the most
obvious is to ensure that the value is large enough that the
exponentiation is larger than the modulus. (Otherwise it could be
decrypted with a square-root.)
In these designs, when using PKCS#1 v1.5, it's vitally important to
avoid disclosing whether the received RSA message was well-formed
(that is, whether the result of decrypting is a correctly padded
message) because this leaks secret information.
DecryptPKCS1v15SessionKey is designed for this situation and copies
the decrypted, symmetric key (if well-formed) in constant-time over
a buffer that contains a random key. Thus, if the RSA result isn't
well-formed, the implementation uses a random key in constant time.

OAEP is parameterised by a hash function that is used as a random oracle.
Encryption and decryption of a given message must use the same hash function
and sha256.New() is a reasonable choice.

The random parameter is used as a source of entropy to ensure that
encrypting the same message twice doesn't result in the same ciphertext.

The label parameter may contain arbitrary data that will not be encrypted,
but which gives important context to the message. For example, if a given
public key is used to decrypt two types of messages then distinct label
values could be used to ensure that a ciphertext for one purpose cannot be
used for another by an attacker. If not required it can be empty.

The message must be no longer than the length of the public modulus minus
twice the hash length, minus a further 2.

SignPKCS1v15 calculates the signature of hashed using
RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5. Note that hashed must
be the result of hashing the input message using the given hash
function. If hash is zero, hashed is signed directly. This isn't
advisable except for interoperability.

If rand is not nil then RSA blinding will be used to avoid timing
side-channel attacks.

This function is deterministic. Thus, if the set of possible
messages is small, an attacker may be able to build a map from
messages to signatures and identify the signed messages. As ever,
signatures provide authenticity, not confidentiality.

▹ Example

▾ Example

Code:

// crypto/rand.Reader is a good source of entropy for blinding the RSA// operation.
rng := rand.Reader
message := []byte("message to be signed")
// Only small messages can be signed directly; thus the hash of a// message, rather than the message itself, is signed. This requires// that the hash function be collision resistant. SHA-256 is the// least-strong hash function that should be used for this at the time// of writing (2016).
hashed := sha256.Sum256(message)
signature, err := SignPKCS1v15(rng, rsaPrivateKey, crypto.SHA256, hashed[:])
if err != nil {
fmt.Fprintf(os.Stderr, "Error from signing: %s\n", err)
return
}
fmt.Printf("Signature: %x\n", signature)

SignPSS calculates the signature of hashed using RSASSA-PSS [1].
Note that hashed must be the result of hashing the input message using the
given hash function. The opts argument may be nil, in which case sensible
defaults are used.

VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.
hashed is the result of hashing the input message using the given hash
function and sig is the signature. A valid signature is indicated by
returning a nil error. If hash is zero then hashed is used directly. This
isn't advisable except for interoperability.

▹ Example

▾ Example

Code:

message := []byte("message to be signed")
signature, _ := hex.DecodeString("ad2766728615cc7a746cc553916380ca7bfa4f8983b990913bc69eb0556539a350ff0f8fe65ddfd3ebe91fe1c299c2fac135bc8c61e26be44ee259f2f80c1530")
// Only small messages can be signed directly; thus the hash of a// message, rather than the message itself, is signed. This requires// that the hash function be collision resistant. SHA-256 is the// least-strong hash function that should be used for this at the time// of writing (2016).
hashed := sha256.Sum256(message)
err := VerifyPKCS1v15(&rsaPrivateKey.PublicKey, crypto.SHA256, hashed[:], signature)
if err != nil {
fmt.Fprintf(os.Stderr, "Error from verification: %s\n", err)
return
}
// signature is a valid signature of message from the public key.

VerifyPSS verifies a PSS signature.
hashed is the result of hashing the input message using the given hash
function and sig is the signature. A valid signature is indicated by
returning a nil error. The opts argument may be nil, in which case sensible
defaults are used.

OAEPOptions is an interface for passing options to OAEP decryption using the
crypto.Decrypter interface.

type OAEPOptions struct {
// Hash is the hash function that will be used when generating the mask.
Hash crypto.Hash// Label is an arbitrary byte string that must be equal to the value// used when encrypting.
Label []byte
}

PKCS1v15DecrypterOpts is for passing options to PKCS#1 v1.5 decryption using
the crypto.Decrypter interface.

type PKCS1v15DecryptOptions struct {
// SessionKeyLen is the length of the session key that is being// decrypted. If not zero, then a padding error during decryption will// cause a random plaintext of this length to be returned rather than// an error. These alternatives happen in constant time.
SessionKeyLen int
}

type PSSOptions struct {
// SaltLength controls the length of the salt used in the PSS// signature. It can either be a number of bytes, or one of the special// PSSSaltLength constants.
SaltLength int// Hash, if not zero, overrides the hash function passed to SignPSS.// This is the only way to specify the hash function when using the// crypto.Signer interface.
Hash crypto.Hash// Go 1.4
}

type PrecomputedValues struct {
Dp, Dq *big.Int// D mod (P-1) (or mod Q-1) Qinv *big.Int// Q^-1 mod P// CRTValues is used for the 3rd and subsequent primes. Due to a// historical accident, the CRT for the first two primes is handled// differently in PKCS#1 and interoperability is sufficiently// important that we mirror this.
CRTValues []CRTValue
}

GenerateMultiPrimeKey generates a multi-prime RSA keypair of the given bit
size and the given random source, as suggested in [1]. Although the public
keys are compatible (actually, indistinguishable) from the 2-prime case,
the private keys are not. Thus it may not be possible to export multi-prime
private keys in certain formats or to subsequently import them into other
code.

Decrypt decrypts ciphertext with priv. If opts is nil or of type
*PKCS1v15DecryptOptions then PKCS#1 v1.5 decryption is performed. Otherwise
opts must have type *OAEPOptions and OAEP decryption is done.

Sign signs digest with priv, reading randomness from rand. If opts is a
*PSSOptions then the PSS algorithm will be used, otherwise PKCS#1 v1.5 will
be used.

This method implements crypto.Signer, which is an interface to support keys
where the private part is kept in, for example, a hardware module. Common
uses should use the Sign* functions in this package directly.